Incomplete Sandbox Protection in Pipeline Scripts Allows Arbitrary Code Execution

Incomplete Sandbox Protection in Pipeline Scripts Allows Arbitrary Code Execution

CVE-2017-1000096 · MEDIUM Severity

AV:N/AC:L/AU:S/C:P/I:P/A:P

Arbitrary code execution due to incomplete sandbox protection: Constructors, instance variable initializers, and instance initializers in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code. This could be exploited e.g. by regular Jenkins users with the permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles.

Learn more about our User Device Pen Test.